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Abstract. We study the equivalence relation on states of labelled transition systems of 
satisfying the same formulas in Computation Tree Logic without the next state modality 

(CTI x). This relation is obtained by De Nicola & Vaandrager by translating labelled 

transition systems to Kripke structures, while lifting the totality restriction on the latter. 
They characterised it as divergence sensitive branching bisimulation equivalence. 

We find that this equivalence fails to be a congruence for interleaving parallel composi- 
tion. The reason is that the proposed application of CTI x to non-total Kripke structures 

lacks the expressiveness to cope with deadlock properties that are important in the context 

of parallel composition. We propose an extension of CTI x, or an alternative treatment 

of non-totality, that fills this hiatus. The equivalence induced by our extension is charac- 
terised as branching bisimulation equivalence with explicit divergence, which is, moreover, 
shown to be the coarsest congruence contained in divergence sensitive branching bisimu- 
lation equivalence. 



CTL* [7j is a powerful state-based temporal logic combining linear time and branching time 
modalities; it generalises the branching time temporal logic CTL [BJ. CTL* is interpreted 
in terms of Kripke structures, directed graphs together with a labelling function assigning 
to every node of the graph a set of atomic propositions. As the next state modality X 
is incompatible with abstraction of the notion of state, it is often excluded in high-level 
specifications. By CTL1 X we denote CTL* without this modality. To characterise the 
equivalence induced on states of Kripke structures by validity of CTL*_ X formulas, Browne, 
Clarke & Grumberg [3] defined the notion of stuttering equivalence. They proved that two 
states in a finite Kripke structure are stuttering equivalent if and only if they satisfy the 
same CTL*_ X formulas, and moreover, they established that this is already the case if and 
only if the two states satisfy the same CTI x formulas. 
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There is an intuitive correspondence between the notions of stuttering equivalence on 
Kripke structures and branching bisimulation equivalence |10j on labelled transition sys- 
tems (LTSs), directed graphs of which the edges are labelled with actions. De Nicola & 
Vaandrager [5] have provided a framework for constructing natural translations between 
LTSs and Kripke structures in which this correspondence can be formalised. Stuttering 
equivalence corresponds in their framework to a divergence sensitive variant of branching 
bisimulation equivalence, and conversely, branching bisimulation equivalence corresponds to 
a divergence blind variant of stuttering equivalence. The latter characterises the equivalence 
induced on states of Kripke structures by a divergence blind variant of validity of CTI_1 X 
formulas. 

In [HO [3] and other work on CTL*, Kripke structures are required to be total, meaning 
that every state has an outgoing transition. These correspond with LTSs that are deadlock- 
free. In the world of LTSs requiring deadlock-freeness is considered a serious limitation, 
as deadlock is introduced by useful process algebraic operators like the restriction of CCS 
and the synchronous parallel composition of CSP. Conceptually, a deadlock may arise as 
the result of an unsuccessful synchronisation attempt between parallel components, and 
often one wants to verify that the result of a parallel composition is deadlock-free. This is, 
of course, only possible when working in a model of concurrency where deadlocks can be 
expressed. 

Through the translations of [5] it is possible to define the validity of CTL*1 X formulas 
on states of LTSs. To apply CTI_l x -formulas to LTSs that may contain deadlocks, De 
Nicola &; Vaandrager [5] consider Kripke structures with deadlocks as well, and hence lift 
the requirement of totality. They do so by using maximal paths instead of infinite paths in 
the definition of validity of CTI_1 X formulas. Without further changes, this amounts to the 
addition of a self-loop to every deadlock state. As a consequence, CTI_1 X formulas cannot 
see the difference between a state without outgoing transitions (a deadlock) and one whose 
only outgoing transition constitutes a self-loop (a livelock), and accordingly a deadlock state 
is stuttering equivalent to a livelock state that satisfies the same atomic propositions. This 
paper will challenge the wisdom of this set-up. 

We observe that for systems with deadlock, the divergence sensitive branching bisimu- 
lation equivalence of [5] fails to be a congruence for interleaving operators. We characterise 
the coarsest congruence contained in divergence sensitive branching bisimulation equiva- 
lence as the branching bisimulation equivalence with explicit divergence introduced in |10j . 
This equivalence differs from divergence sensitive branching bisimulation equivalence in that 
it distinguishes deadlock and livelock. For deadlock-free systems the equivalences coincide. 

Having established that the framework of [5] turns CTI_1 X into a logic on LTSs that 
induces an equivalence under which interleaving parallel composition fails to be compo- 
sitional, we propose two adaptations to this framework that both make CTL^ X induce 
branching bisimulation equivalence with explicit divergence and thus restore composition- 
ality. Our first adaptation preserves the treatment of non-totality of [5] as well as their 
translations between LTSs and Kripke structures, but extends the language CTI_1 X so that 
it can distinguish deadlock from successful termination. Our second adaptation preserves 
the totality requirement on Kripke structures but modifies the translation from LTSs to 
Kripke structures. One of our main results is that both adaptations are equivalent in the 
sense that they induce equally expressive logics on LTSs. In the following two paragraphs 
we discuss these adaptations in more detail. 
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That divergence sensitive branching bisimulation equivalence is not a congruence for 
interleaving operators means that there are properties of concurrent systems, pertaining to 
their deadlock behaviour, that (in the framework of [5]) cannot be expressed in CTI_1 X , 
but that can be expressed in terms of the validity of a CTI_1 X formula on the result of 
putting these systems in a given context involving an interleaving operator. We find this 
unsatisfactory, and therefore propose an extension of CTI_1 X in which this type of property 
can be expressed directly. We obtain that two states are branching bisimulation equivalent 
with explicit divergence if and only if they satisfy the same formulas in the resulting logic. 

Treating CTI x hi the same way leads either to an extension of CTI x or, equivalently, 

to a modification of its semantics. The new semantics we propose for CTI x is a valid 

extension of the original semantics [6] to non-total Kripke structures. It slightly differs 
from the semantics of [5j and it is arguably better suited to deal with deadlock behaviour. 

Instead of extending CTI_1 X or modifying CTI x we also achieve the same effect by 

amending the translation from LTSs to Kripke structures in such a way that every LTS maps 
to a total Kripke structure. This amended translation consist of any of the translations in 
the framework of [5] followed by a postprocessing stage introducing a fresh state sg, labelled 
by a fresh atomic proposition expressing the property of having deadlocked, and a transition 
from all deadlock states, and ss itself, to sg. Adding self- loops and a fresh atomic proposition 
expressing deadlock (or just a fresh atomic proposition expressing deadlock) to deadlock 
states themselves does not have the desired effect, for it yields logics that are too expressive. 

From the point of view of practical applications our work allows the rich tradition of 
verification by equivalence checking to be combined with the full expressive power of CTL^ X . 
In equivalence checking, three properties of the chosen equivalence have been found indis- 
pensable [2]: compositionality — in particular parallel composition being a congruence — is a 
crucial requirement to combat the state explosion problem; the ability to represent dead- 
lock is crucial in ascertaining deadlock-freedom; and abstraction from internal activity — and 
thus from the concept of a "next state" — is crucial to get a firm grasp of correctness. Our 
work is the first that allows specification by arbitrary CTI_1 X formulas to be incorporated 
in this framework, without giving up any of these essential properties. 

Given the existence of adequate translations between LTSs and Kripke structures, we 
could have presented the results of this paper entirely within the framework of Kripke struc- 
tures, or entirely within the framework of LTSs. Using Kripke structures only would entail 
defining a parallel composition on Kripke structures — which is possible by lifting the paral- 
lel composition on LTSs through the appropriate translations. However, Kripke structures 
are traditionally used for global descriptions of systems; building system descriptions mod- 
ularly by parallel composition, while worrying about deadlocks that may be introduced in 
this process, would be a novel approach in itself. For establishing the results of this paper 
it is much more appropriate to build on the rich tradition of composing LTSs by parallel 
composition, and the known importance of deadlock behaviour within this framework. 

Using just LTSs, on the other hand, would require lifting CJl*_ x to the world of LTSsQ 
Here we could build on the work of De Nicola and Vaandrager [JJ, who defined the logic 
ACTL* on LTSs and showed that it corresponds neatly, through the translations of [5], 

tempting alternative appears to be to use the weak modal fi-calculus |15| instead of CTL1 X . This 
is the modal /x-calculus of Kozen [12| with weak action modalities {{a}} and [a]] instead of (a) and [a] in 
order to abstract from internal activity. However, as observed in [15], this logic cannot distinguish states 
that are weakly bisimilar, and hence, contrary to what is suggested in the introduction of [15], lacks the 
expressiveness of CTL1 X . 
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with CTL* on Kripke structures. However, whereas abstracting from the notion of state in 
CTL* can be done elegantly by removing the next state modality X from the language, in 
ACTL* this additionally requires parametrising the until-mod&lity by two action formulas 
[3]. Doing this would make the resulting logic ACTL^ X appear less than a wholly canonical 
action-based incarnation of CTL1 X , and the reader might wonder whether the failure of 
ACTI_1 X to generate an equivalence on LTSs that is a congruence for parallel composition 
would be due to it being an imperfect rendering of CTI_1 X in the action-based world. 

By presenting our analysis directly for CTI_1 X , we make clear that this is not the 
case, and the problem stems from CTL^ X itself. Having to work in both LTSs and Kripke 
structures, with translations between them, appears to be a small price to pay. In addition, 
we feel that in many applications, such as process algebra with data, in may be preferable 
to work directly in a model of concurrency that features both state and action labels, and 
thus benefits from the ability to smoothly combine LTSs and Kripke structures |16j . 

Nevertheless, all our work applies just as well to ACTI_1 X , with the very same problems 
and the very same solutions. 

At the end of the paper we briefly consider Linear Temporal Logic without the next 

state modality (LTI x ). The equivalence induced by the validity of LTI x -formulas is not 

a congruence for interleaving parallel composition either. The coarsest coarsest congruence 

included in the equivalence induced by the validity of LTI x -formulas is obtained much in 

the same way as the coarsest congruence included in the equivalence induced by the validity 

of CTI x -formulas. Adding the oo-modality to LTI x , however, yields a logic that induces 

a strictly finer equivalence than the obtained congruence. 

2. CTLI X AND STUTTERING EQUIVALENCE 

We presuppose a set AP of atomic propositions. A Kripke structure is a tuple (S, Jzf, — >) 
consisting of a set of states S, a labelling function J£ : S — > 2 AP and a transition relation 
— > C S x S. For the remainder of the section we fix a Kripke structure (S,Jif, — >). 

A finite path from s is a finite sequence of states So,...,s n such that s = sq and 
Sk — * Sk+i for all < k < n. An infinite path from s is an infinite sequence of states 
80)81)82, ••• such that s = so and Sk — ► Sfc+i for all k G u. A path is a finite or infinite 
path. A maximal path is an infinite path or a finite path sq, . . . , s n such that -i3a'. s n — * s'. 
We write it > tt' if the path tt' is a suffix of the path tt, and tt > tt' if tt > tt' and tt ^ tt'. 

Temporal properties of states in S are defined using CTL1 X formulas. 

Definition 2.1. The classes of CTL1 X state formulas and of CTL1 X path formulas are 
generated by the following grammar: 

<p ::= p | -up | A $' | 3tp V :: = V 9 I ~^ I A I V> U ip 

with p G AP, ip G C $, ip e * and ^' C fy. 

In case the cardinality of the set of states of our Kripke structure is less than some infinite 
cardinal k0 we may require that \&'\ < k and l^'l < k in conjunctions, thus obtaining a set 
of formulas rather than a proper class. Normally, S is required to be finite, and accordingly 
CTL1 X admits finite conjunctions only. 



In fact it suffices to require that for every state s the cardinality of the set of states reachable from s is 
less than k. 
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Difference between a) ~dbs an d b) 
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Definition 2.2. We define when a CTI_1 X state formula ip is valid in a state s (notation: 
s \= <p) and when a CTI_1 X path formula ip is valid on a maximal path tt (notation: tt \= ip) 
by simultaneous induction as follows: 

- s \= p iff p e Jz^s); 

- s \= -xp iff s ty= <p; 

- s \= f\ $' iff s \= tp for all (p € 

— s \= 3ip iff there exists a maximal path tt from s such that tt \= ip; 

— tt \= cp iff s is the first state of 7r and s |= </p ; 

— tt \= —up iff 7r ^= ip; 

- vr |= /\ iff 7r |= V for all -0 G and 

— tt \= ip U ip' iff there exists a suffix tt' of 7r such that tt' \= ip', and tt" (= ^ for all 

7T > 7r" > 7r'. 

A formula ip \J ip' says that, along a given path, ^ holds until ip' holds. One writes T for 
the empty conjunction (which is always valid), Ftp for T U ip ( ll ip will hold eventually") and 
Gip for — ip — 1"0 ( ll ip holds always (along a path)"). 

The above is the standard interpretation of CTI_1 X 0[3], but extended to Kripke structures 
that are not required to be total. Following [5], this is achieved by using maximal paths in 
the definition of validity of CTI_1 X formulas, instead of the traditional use of infinite paths 
[3 [3]. The resulting definition generalises the traditional one, because for total Kripke 
structures a path is maximal iff it is infinite. 

An equivalent way of thinking of this generalisation of CTI_1 X to non-total Kripke 
structures is by means of a transformation that makes a Kripke structure K total by the 
addition of a self-loop s — ► s to every deadlock state s, together with the convention that a 
formula is valid in a state of K iff it is valid in the same state of the total Kripke structure 
obtained by this transformation. It is not hard to check that this yields the same notion of 
validity as our Definition 12. 21 

The divergence blind interpretation of [5] (notation: s \= db (p and tt \= db ip) is obtained 
by dropping the word "maximal" in the fourth clause of Definition 12. 21 In contrast, we 
call the the standard interpretation divergence sensitive, because it does not abstract from 
divergences, i.e., infinite paths consisting of states with the same label. For instance, in 
Figure [l^i we have t \= 3Gp, due to the divergence t,t,t,. . . , whereas u 3Gp. Under the 
divergence blind interpretation there is no formula distinguishing these two states. 



Definition 2.3. A colouring is a function C : S — > C, for C any set of colours. 
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Given a colouring C and a (finite or infinite) path ir = so, s\,S2, ■ ■ ■ from s, let C(ir) be 
the sequence of colours obtained from C(sq),C(si),C(s2), • • • by contracting all its (finite or 
infinite) maximal consecutive subsequences C, C, C, . . . to C. The sequence C(n) is called 
a C-coloured trace of s; it is complete if it is maximal. 

A colouring C is [fully] consistent if two states of the same colour always satisfy the 
same atomic propositions and have the same [complete] C-coloured traces. Two states s and 
t are divergence blind stuttering equivalent, notation s ~dbs t, if there exists a consistent 
colouring C such that C(s) = C(t). They are (divergence sensitive) stuttering equivalent, 
notation s ~ s t, if there exists a fully consistent colouring C such that C(s) = C(t). The 
difference between ~dbs an d ~ s is illustrated in the following example. 

Example 2.4. Consider the Kripke structure and its colouring depicted in FigureQJi. This 
colouring is consistent, implying s ~dbs t ~dbs u and x ~dbs V, but it is not fully consistent 
because state t has a complete trace while u does not. Note that t has, due to the 
self-loop, a complete coloured trace that consists of just the colour of a p-labelled state, 
whereas the unique complete coloured trace of u contains the colour of a (/-labelled state 
too. Since a consistent colouring assigns different colours to states with different labels, 
every fully consistent colouring must assign different colours to states t and u, i.e. it must 
be that t tfc s u. One such colouring is given in Figure [lb. This colouring shows that x ~ s y. 

Lemma 2.5. Let C be a colouring such that two states with the same colour satisfy the 
same atomic propositions and have the same C-coloured traces of length two. Then C is 
consistent. 

Proof. Suppose C(sq) = C(to) and Co, C±, C2, • • • is an infinite coloured trace of sq. Then, 
for i > 0, there are states Sj and finite paths 7Tj from Sj_i to Sj, such that C(iTi) = C_i, C%. 
With induction on i > we find states ti with C(sj) = C(U) and finite paths pi from 
to ti such that C(pi) = Cj-i, C%. Namely, the assumption about C allows us to find pi given 
U-i, and then ti is defined as the last state of p^. Concatenating all the paths pi yields an 
infinite path p from to with C(p) = Co, C\, C2, . . . . 

The case that C(so) = C(to) and Co, . . . , C n is a finite coloured trace of so goes likewise. 

□ 

Lemma 2.6. Let C be a colouring such that two states with the same colour satisfy the 
same atomic propositions and have the same C-coloured traces of length two, and the same 
complete C-coloured traces of length one. Then C is fully consistent. 

Proof. Suppose C(s) = C(t) and a is a complete C-coloured trace of s. Then a = C(n) for 
a maximal path n from s. By Lemma 12.51 a is also a C-coloured trace of t. It remains to 
show that it is a complete C-coloured trace of t. Let p be a path from t with C(p) = a. If p 
is infinite, we are done. Otherwise, let t' be the last state of p. Then C(i') is the last colour 
of g. Therefore, there is a state s' on tt such that the suffix tt' of it starting from s 1 is a 
maximal path with C(tt') = C(s') = C{t'). By the assumption about C, C(t') must also be a 
complete C-coloured trace of t', i.e. there is a maximal path p' from t! with C(p') = C{t'). 
Concatenating p and p 1 yields a maximal path p" from t with C(p") = a. □ 

The following two theorems were proved in [5] and [3], respectively, for states s and t in a 
finite Kripke structure. Here we drop the finiteness restriction. 

Theorem 2.7. s ~dbs t iff s\=db<£ & t^db^P f or a ^ CTL1 X state formulas (p. 
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Proof. "Only if": Let C be a consistent colouring. With structural induction on p and ip 
we show that 

C(s) = C(t) =>- (s\= db cp & t\= db ip) and C(tt) = C(p) ^ (Tr\= db ip ^ p\= db ip). 

The case p = p for p G AP follows immediately from Definition 12.31 The cases ip = —up' 
and p = f\ follow immediately from the induction hypothesis. 

Suppose C(s) = C(t) and s \= db 3tp. Then there exists a path tt from s such that tt \= db ip. 
C(ir) is a coloured trace of s, and hence of t. Thus there must be a path p from t with 
C(tt) =C(p). By induction, p^^?/'. Hence, t\= db 3ip. 

The case ^ € $ follows since the first states of two paths with the same colour also have 
the same colour. The cases ip = -up and ip = f\ ^' follow immediately from the induction 
hypothesis. 

Finally, suppose C(ir) = C(p) and tt \= db ip U ip'. Then there exists a suffix tt' of tt such 
that tt' \= db ip' and tt" \= db ip for all tt > tt" \> tt'. As C(tt) = C(p), there must be a suffix 
p' of p such that C(tt') = C(p') and for every path p" such that p > p" D> p' there exists a 
path tt" with tt t> tt" > 7r' such that C(7r") = C(p"). By induction, this implies p' ^ rff) ^' 
and p" ^ for all p > p" D> p'. Hence p |=d& U 

"If": Let C be the colouring given by C(s) = {p G $ | s \= db p}. It suffices to show 
that C is consistent. So suppose C(s) = C{t). Trivially, s and t satisfy the same atomic 
propositions. By Lemma 12.51 it remains to show that s and t have the same coloured traces 
of length two. Suppose s has a coloured trace C, D. Let so, • • • , Sfc be a path from s such 
that C(si) = C for < i < k and C(s fc ) = D / C. Let 

Z// = {-u | there is a path from t to u and C{u) ^ C}, 
V = {v | there is a path from t to w and C(w) ^ D}. 

For every u G U pick a CTL1 X formula <p u G C — C(ii) (using negation on a formula in 
C(u) — C if needed), and for every v G V pick a CTI_1 X formula p' v £ D — C(v). Now 

« H«ft ^Aueu^u) U (A„eV<^) and ' as C ( s ) = C (*)> also * Nf> ^Aueu^u) U (A^y^)- 
Thus, there is a path to,. . . ,t£ from £ such that |=<y, Avev^'v and ^ Nrffe fKu&A^Pu f° r 
< j < £ It follows that i £ £ V and ^ £ W f or < j < I. Hence C(t e ) = D and C(tj) = C 
for < j < £, so C, D is also a coloured trace of t. □ 

Theorem 2.8. z_/f s |= <^=> t |= 99 /or all CTL1 X siaie formulas p. 

Proof. "Only if" goes exactly as in the previous proof, reading |= for \= db , but requiring C 
to be fully consistent and, in the second paragraph, the paths tt and p to be maximal and 
C(tt) to be a complete coloured trace of s and t. 

"If" goes as in the previous proof, but this time we have to show that C is fully consis- 
tent. Thus, applying Lemma 12.61 and assuming C(s) = C(t), we additionally have to show 
that s and t have the same complete coloured traces of length one. Let tt be a maximal 
path from s with C{tt) = C. Let 

U = {u I there is a path from t to u and C{u) ^ C}. 

For every u G U pick a CTI_1 X formula p u G C — C(-u). Now s |= 3G(/\ ueU p u ) and, as 
C(s) = C(t), also t \= 3G(/\ ueU p u ). Thus, there is a maximal path p from t such that 
t' \= /\ ue u p u for all states t' in p. It follows that t' Hence C(i') = C and thus 
C(p) = C. " □ 
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Since is an equivalence relation on predicates, we obtain the following corollary to The- 
orems 12.71 and 12.81 

Corollary 2.9. ~dbs and ~s « r e equivalence relations. □ 

Note that, for any colouring C, the C-coloured traces of a state s are completely determined 
by the complete C-coloured traces of s, namely as their prefixes. Hence, any colouring 
that is fully consistent is certainly consistent, and thus ~ s is a finer (i.e. smaller, more 
discriminating) equivalence relation than ~dbs- 

Above, the divergence blind interpretation of CTI_1 X is defined by using paths instead 
of maximal paths. It can equivalently be defined in terms of a transformation on Kripke 
structures, namely the addition of a self-loop s — > s for every state s|3 Now s ~dbs t holds 
in a certain Kripke structure iff s ~ s t holds in the Kripke structure obtained by adding 
all these self-loops. This is because the colour of a path doesn't change when self-loops are 
added to it, and up to self-loops any path is maximal. Likewise, s \=db m the original 
Kripke structure iff s |= <p in the modified one. 

Just like ~d6s can be expressed in terms of ~ s by means of a transformation on Kripke 
structures, by means of a different transformation, at least for finite Kripke structures, ~ s 
can be expressed in terms of ~d& s . This is done in [5], Definitions 3.2.6 and 3.2.7. 

3. Branching bisimulation equivalence in terms of coloured traces 

We presuppose a set A of actions with a special element r € A. A labelled transition 
system (LTS) is a structure (5, — ►) consisting of a set of states S and a transition relation 
— > C 5 x A x 5. For the remainder of the section we fix an LTS (S, — >). We write s —> s' 
for (s,a, s') € — ». 

A path from s is an alternating sequence sq, a\, s\, a-i, . . . of states and actions, ending 
with a state if the sequence is finite, such that s = so and Sk-i Sfc for all relevant 
k > 0. A maximal path is an infinite path or a finite path sq, cq, si, 02, ■ ■ ■ , a n , s n such that 
-<3a, s'. s n — ► s' . We write it > it' if the path tt' is a suffix of the path it, and it t> it' if 
7r > 7r' and 7T 7^ 7r'. 

Definition 3.1. A colouring is a function C : S 1 — > C, for C any set of colours. 

For 7T = so, ai, si, 02, . . . a path from s, let C(ir) be the alternating sequence of colours 
and actions obtained from C(sq), aq, C(si), 02, . . . by contracting all finite maximal con- 
secutive subsequences C,t,C,t, . . . ,r,C and all infinite maximal consecutive subsequences 
C, t,C,t, . . . to C. The sequence C(ir) is called a C-coloured trace of s; it is complete if 7r is 
maximal; it is divergent if it is finite whilst it is infinite. 

A colouring C is [fully] consistent if two states of the same colour always have the 
same [complete] C-coloured traces. Two states s and t are (divergence blind) branching 
bisimulation equivalent, notation s ±±& t, if there exists a consistent colouring C such that 
C(s)=C(t). 

They are divergence sensitive branching bisimulation equivalent, notation s ±±t t, if 
there exists a fully consistent colouring C such that C(s) = C{t). 

^ In the beginning of this section we proposed a transformation that adds a self-loop s > s merely 

to every deadlock state s. Both transformations make any Kripke structure total. However, whereas the 
previous transformation preserves the divergence sensitive interpretation of CTL1 X , the current one preserves 
the divergence blind interpretation, and expresses it in terms of the divergence sensitive one. 
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A consistent colouring preserves divergence if two states of the same colour always 
have the same divergent C-coloured traces. Two states s and t are branching bisimulation 
equivalent with explicit divergence, notation s ±±£ t, if there exists a consistent, divergence 
preserving colouring C with C(s) = C(t). 






Figure 2: Difference between a) ±±b, b) ±±^, and c) ±±r L . 



The difference between ±±b, ±±£, and ±±^ is illustrated in the following example. 



Example 3.2. Consider first the LTS and its colouring depicted in Figure [2^,. This colour- 
ing is consistent and we have s ±±b t ±±j, u ±±& v and x ±±b y ±±b z. It is not fully consistent 
because state t has a complete trace whereas u has not. It is easy to see that every fully 
consistent colouring must assign different colours to states t and u, and so that t ±^ u. 
One such colouring is given in Figure [2b and it shows that u ±±£ v and x ±±£ y ±±i z. Note, 
however, that this colouring, although fully consistent, does not preserve divergence. State 
v has a divergent trace a Q whereas u has not, and similarly state z has a divergent 
trace ^ whereas y has not. Any colouring that preserves divergence must, assign different 
colours to states u and v and to states y and z, meaning that u v and y tft.^ z. One 
such colouring is given in Figure [2b. It shows that x ±±£ y. In fact, these are the only two 
(different) states that are branching bisimulation equivalent with explicit divergence. 

In the definition of ±±^ above, consistency and preservation of divergence appear as two 
separate properties of colourings. Instead we could have integrated them by adding an extra 
bit (A) at the end of those finite coloured traces that stem from infinite paths. Likewise, 
±±^ could have been defined by adding such an extra bit at the end of those finite coloured 
traces that stem from maximal paths. 

Lemmas 12.51 and 12.61 about colourings on Kripke structures apply to labelled transition 
systems as well. The proofs are essentially the same. 

Lemma 3.3. Let C be a colouring such that two states with the same colour have the same 
C-coloured traces of length three (i.e. colour - action - colour). Then C is consistent. 

Lemma 3.4. Let C be a consistent colouring such that two states with the same colour have 
the same complete C-coloured traces of length one. Then C is fully consistent. 

Lemma 3.5. Let C be a consistent colouring such that two states with the same colour have 
the same divergent C-coloured traces of length one. Then C preserves divergence. 

Proof. Exactly like the proof of Lemma 12.61 but letting a be a divergent C-coloured trace 
of s; 7r,7r' infinite paths; C(t') a divergent C-coloured trace of t'; and p',p" infinite paths. □ 
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Branching bisimulation equivalence and branching bisimulation equivalence with explicit 
divergence were originally defined in Van Glabbeek & Weijland [TO]. There, only finite 
coloured traces are considered, and a consistent colouring was defined as a colouring with 
the property that two states have the same colour only if they have the same finite coloured 
traces. By Lemma 13.31 this yields the same concept of consistent colouring as Definition 13.11 
above. 

In [TO] , a consistent colouring is said to preserve divergence if no divergent state has the 
same colour as a nondivergent state. Here a state s is divergent if it is the starting point of 
an infinite path of which all nodes have the same colour. This is the case if s has a divergent 
coloured trace of length one. Now Lemma 13.51 says that the definition of preservation of 
divergence from [TO] agrees with the one proposed above. Hence the concepts of branching 
bisimulation and branching bisimulation with explicit divergence of [TOJ agree with ours. 

Theorem 3.6. ±±b, ±±£ and ±±£ are equivalence relations. 

Proof. We show the proof for ±±&; the other two cases proceed likewise. 

We will regard any equivalence relation on S as a colouring, the colour of a state being 
its equivalence class. Conversely, any colouring can be considered as an equivalence relation 
on states. 

The diagonal on S (i.e., the binary relation | s € S}) is a consistent colouring, 

so ±±b is reflexive. That ±±b is symmetric is immediate from the required symmetry of 
colourings. 

To prove that ±±b is transitive, suppose s ±±b t and t ±±b u. So there exist consistent 
colourings C and T> with C(s) = C{t) and T>(t) = T>{u). Let £ be the finest equivalence 
relation containing C and T>. Then £(s) = £{t) = £(u). It suffices to show that £ is 
consistent. 

First of all note that the £-colour of a state is completely determined by its C-colour, 
as well as by its D-colour: C(p) = C(q) => £{p) = £{q) and T>(jp) = V{q) => £ (p) = £{q) for 
all p,q £ S. Thus, if two states have the same sets of C-coloured traces or the same sets of 
P-coloured traces, they must also have the same sets of ^-coloured traces. 

Suppose £{p) = £{q). Then there must be a sequence of states (pi)o<i< n such that 
p = po, q = p n and for < i < n we have either C{p{) = C{pi + \) or T>(pi) = T>(pi + \). As C 
and T> are consistent colourings, pi and Pi+\ have the same C-coloured traces or the same 
P-coloured traces. In either case they also have the same f-coloured traces. This holds for 
< i < n, so p and q have the same £ -coloured traces. Thus £ is consistent. □ 

Lemma 3.7. Let C be a consistent colouring and s G S. Then the complete C-coloured 
traces of s consist of the C-coloured traces of s that are infinite, divergent, or maximal, in 
the sense that they cannot be extended. 

Proof. By definition, infinite and divergent C-coloured traces of s are complete. Let a be a 
maximal C-coloured trace of s, and let tt be a path from s such that C(tt) = a. Let tt' be 
an extension of tt to a maximal path. As a is a maximal C-coloured trace, in the sense that 
it cannot be extended, we have C(tt') = a. Hence a is a complete C-coloured trace of s. 

Now let a be a complete C-coloured trace of s that is not infinite, nor a divergent 
C-coloured trace of s. In that case a = C(tt) for tt a finite maximal path from s. Let t 
be the last state of tt. We have ->3a,t'. t — — > t! . Suppose, towards a contradiction, that a 
is not maximal, i.e. there is a path tt' from s such that C(tt') is a proper extension of a. 
Then there must be a state u on tt' with C(u) = C(t), such that u has a coloured trace a' 
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of length > 1, which is a suffix of C(n'). As C is consistent, a' is also a coloured trace of t, 
contradicting -i3o, t' . t -^-> t'. □ 

As for Kripke structures, for any colouring C, the C-coloured traces of a state s are the 
prefixes of the complete C-coloured traces of s. Moreover, Lemma [3771 savs that the complete 
C-coloured traces of a state s are completely determined by the C-coloured traces of s 
together with the divergent C-coloured traces of s. Hence, any colouring that is consistent 
and preserves divergence is also fully consistent. Therefore, ±±^ is finer than ±±£ , which is 
finer than ±±5. 

The difference between ±±b and t±^ is that only the latter sees the difference between 
those maximal finite coloured traces that stem from finite paths (ending in deadlock) and 
those that stem from infinite paths (ending in livelock). For deadlock-free LTSs (having no 
states s with ->3a, s'. s s') the equivalences ±±£ and ±±^ coincide. 

4. Translating between Kripke structures and labelled transition systems 

We presuppose a set A of actions with a special element r € A, and a set AP of atomic 
propositions. A doubly labelled transition system (L 2 TS) is a structure (S, _£f, — ►) that consists 
of a set of states S, a labelling function S£ ' : S — > 2 AP and a labelled transition relation 
— > C S x A x S . From an L 2 TS one naturally obtains an LTS by omitting the labelling 
function Jzf, and a Kripke structure by replacing the labelled transition relation by one from 
which the labels are omitted. We call these the LTS or Kripke structure associated to the 
L 2 TS. An L 2 TS (S, -Sf, — ►) is consistent if it satisfies the following three conditions: 

(i) if s t, then (^f(s) = Sflt) iff a = r); 

(ii) if s -±*t, s' t' and £{s) = JS^s 7 ), then jjf(t) = if(f ); and 

(iii) if s -2-> i, s' JSf(s) = jSf(s') and J2(t) = J^t*), then a = 6. 

Consistent L 2 TSs were introduced in De Nicola & Vaandrager [5] for studying relationships 
between notions defined for Kripke structures and notions defined for LTSs. Condition |[|) 
states that a transition is unobservable in the underlying Kripke structure (i.e., a transition 
between states with the same label) if and only if it is an unobservable transition in the 
underlying labelled transition system (i.e., a r-transition). Condition (jn|) expresses that 
the label of the target state of a transition is completely determined by the label of the 
source state and the label of the transition. Consequently, the label of a state t reachable 
from a state s is completely determined by the label of s and the sequence of labels of the 
transitions leading from s to t. Condition ([m|) says that the label of a transition is fully 
determined by the labels of its source and target state. 

Example 4.1. The three L 2 TSs from Figure [3^, are not consistent because they violate 
conditions (i), (ii), and (iii), respectively; the L 2 TS in Figure [3)3 is consistent. 

Many semantic equivalences on LTSs, such as ±±b, ±±^ and ±±^ , are considered in the 
literature; for an overview see [8]. 

Definition 4.2. Any semantic equivalence ~ on LTSs extends to L 2 TSs by declaring, for 
all states s and t in an L 2 TS, that s ~ t iff Jzf(s) = -%{t) and s ~ t in the associated LTS. 

Any semantic equivalence ~ on Kripke structures extends to L 2 TSs by declaring, for all 
states s and t in an L 2 TS, that s ~ t iff s ~ t in the associated Kripke structure. 
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Figure 3: a) Three inconsistent L 2 TSs and b) a consistent L 2 TS. 



The following theorem was proved in [5] for finite consistent L 2 TSs. Here we drop the 
finiteness restriction. 

Theorem 4.3. On a consistent L?TS, ~dbs equals ±±b, and w s equals ±±£. 

Proof. Suppose s ~dbs t [° r s « ( t]. Then there is a colouring C on the states of the L 2 TS 
that is [fully] consistent on the associated Kripke structure K and satisfies C(s) = C(t). By 
definition, this entails jSf(s) = -§f(t). It remains to show that C is [fully] consistent on the 
associated LTS L. So let C(p) = C(q), and let a be a [complete] coloured trace of p in L. 
Using symmetry, it suffices to show that a is also a [complete] coloured trace of q in L. Let 
p be obtained by omitting all actions from the alternating sequence of states and actions 
a. Using direction "only if" of clause (i) in the definition of a consistent L 2 TS, p must be 
a [complete] coloured trace of p in K. As C is [fully] consistent on K, p must also be a 
[complete] coloured trace of q in K. Finally, using clauses (i) "only if" and (iii), a must be 
a [complete] coloured trace of q in L. 

Now suppose s ±±f, t [or s ±±£ t]. Then Jz?(s) = JO(t) and there is a colouring C on 
the states of the L 2 TS, with C(s) = C(t), that is [fully] consistent on L. Let T> be the 
colouring given by V{p) := (C(p),JC(p)) for all p € S, so that T>(p) = T>(q) <^ [C(p) = C(q) A 
Jz?(p) = ^f{q)]- It suffices to show that D is [fully] consistent on K. The requirement 
v\p) = V(q) => j£f(p) = J%) is built into the definition of V. So let V{p) = V(q), and let 
v be a [complete] D-coloured trace of p in K. Using symmetry, it suffices to show that v 
is also a [complete] £>-coloured trace of q in K. Using clause (i) "only if", there must be 
a [complete] P-coloured trace p of p in L such that v is obtained from p by omitting its 
actions. Let a be the [complete] C-coloured trace of s in K obtained from p by omitting the 
second component of each P-colour of a state. As C(p) = C(q) and C is [fully] consistent on 
L, a must also be a [complete] C-coloured trace of q in L. By applying clauses (i) "if" and 
(ii) one derives that p is a [complete] P-coloured trace of q in L. Therefore, again using 
clause (i) "only if", v must be a [complete] D-coloured trace of q in K. □ 

Observation 4.4. For every Kripke structure K there exists a consistent L^TS D such that 
K is the Kripke structure associated to D. 

One way to obtain D is to label any transition s — * t by the pair (_Sf(s), (or simply 

by jSf(t)) when jSf(s) / Jgf(t), or r when ££{s) = ££(t). An alternative is the label (Jz?(s) - 
if(t),JSfl(t) - -Sf(s)), where (0,0) is identified with r. 

Unlike the situation for Kripke structures (Observation 14.4]) it is not the case that every 
LTS can be obtained as the LTS associated to a consistent L 2 TS. A simple counterexample 
is presented in [5]. Thus, in encoding LTSs as L 2 TSs, it is in general not possible to keep 
the set of states the same. 

Definition 4.5. An LTS-to-L 2 TS transformation r\ consist of a function taking any LTS L to 
a consistent L 2 TS rj(L), and in addition taking any state s in L to a state n(s) in r/(L). Such 
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a transformation should at least satisfy s ±±£ t 4^ r)(s) ±±j, rj(t), that is, it preserves ("=>") 
and reflects ("<=") divergence sensitive branching bisimulation equivalence, and likewise for 
±± 6 , and ±±^. 

A common LTS-to-L 2 TS transformation is presented in [5]. It takes an LTS L = (S, — *■) to 
an L 2 TS r/(L) by inserting a new state halfway along any transition s t with a ^ r. This 
new state is labelled {a}, and each of the two transitions replacing s — > i (from s to the 
new state and from there to t) is labelled a. Transitions s i are untouched. One takes 
r/(s) = s for s £ S and all such states from L are labelled with the same dummy symbol 
in i](L). (Consult [5 J for the formal definition and examples.) In [5J it is shown that this 
transformation preserves and reflects ±±^; the same proof applies to ±±& and ±±^ . 

An LTS-to-L 2 TS transformation rj yields an LTS-to-Kripke-structure transformation 
that we also call rj, namely the one transforming an LTS L into the Kripke structure 
associated to r](L). In fact, using Theorem 14.31 and Observation 14.41 any LTS-to-Kripke- 
structure transformation n that preserves and reflects the required equivalences can be 
obtained in this way. 

An LTS-to-L 2 TS transformation rj makes it possible to define when a state s in an LTS 
satisfies a CTL^1 X formula ip. Namely, one defines s ^ ip iff r](s) \= ip. This way, CTI_1 X 
can be used as temporal logic on LTSs. 

Theorem 4.6. Let s and t be states in an LTS, and let rj be an LTS-to-L 2 TS transformation. 
Then 

s ±±b t iff s \=\ b f t |=^ 6 ip for all CTI_1 X state formulas ip 
s ±±£ t iff s \= ri ip ^ t \= v (p for all CTL1 X state formulas ip. 

Proof. This is an immediate consequence of the requirement that rj preserves and reflects 
±±b and ±±^, in combination with Theorems E21 ESI and H31 □ 



5. Parallel composition 

For a behavioural equivalence to be useful in a process algebraic setting, it is essential that 
it is a congruence for the operations under consideration. In this section we prove that ±±^ 
and ±±b are congruences for the merge or interleaving operator \\. This operator is often used 
to represent (asynchronous) parallel composition. However, ±±£ fails to be a congruence for 
|| . We characterise the least discriminating congruence that makes all the distinctions of 
±±^ as ±±^- In the following definition we provide the necessary and sufficient conditions 
for a binary operation on the set of states of an LTS to qualify as a merge. 

Definition 5.1. A binary operation || on the states of an LTS is a merge if for all s, t, u € S 
and for all a € A it holds that s || t —* u iff 

— there exists s' G S such that s — > s' and u = s' \\ t; or 

— there exists t 1 G S such that t — ► t! and u = s \\t'. 

The structural operational semantics of any process calculus that includes an operation for 
pure interleaving generates an LTS with merge. Moreover, any LTS can be augmented to 
an LTS with merge, for instance through a transition system specification [Ij that includes 
all states of the original LTS as constants and a binary operation || with the usual structural 
operational rules for interleaving parallel composition. Henceforth we deal with LTSs with 
a merge ||. 
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Figure 4: ±±£ is not a congruence for parallel composition 

Theorem 5.2. The relation ±±^ is a congruence for \\, i.e., if s tip and u ±±frv, then 
s || u ±±^ i || v. 

Proof. Let 72- be the reflexive and transitive closure of the relation 

{(p\\q,p'\\q') \p±±£p' kq±±£ q'} . 

Let C be the function that assigns to each state its equivalence class with respect to 7Z. 
It suffices to prove that C is a consistent divergence preserving colouring. So suppose 
C(r) = C(r'). Using Lemmas 13.31 and 13.51 it suffices to show that r and r' have the same 
C-coloured traces of length three and the same divergent C-coloured traces of length one. It 
is straightforward, but notationally cumbersome, to establish this in the special case that 
r = p || q and r' = p' || q' with p ±±£ p' and q ±±^ q' . The general case then follows by 
induction on the length of a chain of pairs from the relation displayed above showing that 
the pair (r, r') is in its reflexive and transitive closure. □ 

A similar proof shows that also ±±& is a congruence for ||. However, ±±£ is not. 

Example 5.3. Consider an LTS with merge that contains a state without outgoing 
transitions, a state AO with a r-loop (an outgoing r-labelled transition to itself) and no 
other outgoing transitions, and a state a with a — — > and no other outgoing transitions. 
(Note that such an LTS is, e.g., generated by the structural operational semantics of CCS 
with recursion.) Then ±±£ AO. Figured^, shows the fragment consisting of the states 0, 
AO and a of the LTS under consideration. Figure 0b shows a fragment where the merge is 
applied. Observe that || a ±-/t£ AO || a. The reason is that AO || a has a maximal path that 
stays in its initial state, whereas || a has not. This problem does not apply to ±±6 because 
|| a ±±b AO || a. It does not apply to ±±^ because ±^ AO. 

The example above involves a deadlock state, namely 0. This is unavoidable, as on LTSs 
without deadlock ±±b coincides with ±± A (cf. Section [3|) and hence is a congruence for ||. 

The standard solution to the problem of an equivalence ~ failing to be a congruence for 
a desirable operator Op is to replace it by the coarsest congruence for Op that is included 
in ~ [13j. Applying this technique to the current situation, the coarsest congruence for || 
included in ±±£ turns out to be ±±j^- 

Theorem 5.4. ±± A is the coarsest congruence for \\ that is included in ±±^0 

^Strictly speaking, we merely show that ±±^ is the coarsest congruence for || that is included in ±±£ 
and satisfies the Fresh Atom Principle (FAP). This principle, described in [5], is satisfied by a semantic 
equivalence ~ on LTSs when ~ on an LTS L can always be obtained as the restriction of ~ on any given 
larger LTS of which L is a subLTS, and whose transition labels may be drawn from a larger set of actions 
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Proof. We have already seen that ±±^ is a congruence for ||, and that it is included in ±±£. 
To show that it is the coarsest, we need to show that if ~ is any congruence for || that 
is included in ±±u, then ~ is included in ±±A . So let ~ be such a congruence and assume 
s ~ t. We need to show that s ±±^ t. Let a be an action that does not occur in any path 
from s or t. Since ~ is a congruence for ||, we have s || a ~ 1 1| a, where a is the state from 
Example 15,31 As ~ is included in ±±£ we obtain s \\ a ±±^ t\\ a. Let C be a fully consistent 
colouring with C(s||a) = C(i||a). Define the colouring V by T>(jp) = C(p\\a) for p a state 
reachable from s or t, and T>{p) = p otherwise. Then T>(s) = T){t). It suffices to show that 
V is consistent and preserves divergence, implying s ±±^ t. 

So suppose T>(p) = V(q) with p ^ q. Then C(p||a) = C(g||a). 

First we show that p and q have the same P-coloured traces. Let a be a ©-coloured 
trace of p. Then a is also a C-coloured trace of p || a. As p \\ a and q \\ a have the same 
complete C-coloured traces, they surely have the same C-coloured traces (for the coloured 
traces of a state are the prefixes of its complete coloured traces). Hence a is a C-coloured 
trace of q \\ a. As p is reachable from s or t, the action a cannot occur in a. Therefore, 
a must also be a D-coloured trace of q. By symmetry, any D-coloured trace of q is also a 
P-coloured trace of p, and hence p and q have the same P-coloured traces. 

Next, we show that p and q have the same divergent P-coloured traces. So let a be a 
divergent D-coloured trace of p. Then a is also a divergent C-coloured trace of p || a. Hence 
a is a complete C-coloured trace of p || a and thus also of q || a. As the action a cannot occur 
in a, it is not possible that a stems from a finite maximal path from q \\ a. Therefore, a 
must be a divergent C-coloured trace of q || a, and hence a divergent D-coloured trace of q. 
Again invoking symmetry, p and q have the same divergent D-coloured traces. 

It follows that V is consistent and preserves divergence; thus s ±±^ t. □ 

So if one is in search of a semantics such that, for s and t states in an LTS, 

— if there is a CTI_1 X state formula ip such that s \= v ip but t ^ <p, then s and t should 
be distinguished, 

— if s and t can be distinguished after placing them in a context _ |j u for some u, then 
they should be distinguished to start with, and 

— no two states should be distinguished unless this is required by the previous two condi- 
tions, 

then branching bisimulation semantics with explicit divergence is the answer, for s ±±f t iff 
for all u and all ip E $ we have s || u \= v ip <J=> t \\ u \= v ip. 

6. Adding deadlock detection to CTI_1 x 

We saw above that there are important properties of states s in an LTS that can be expressed 
in terms of a context _ || u and a CTI_1 X formula ip, namely as s\\u 1=^ (p, but that cannot 
be directly expressed in terms of CTL1 X . This is somewhat unsatisfactory, and therefore 
we propose an extension of CTI_1 X in which this type of property can be expressed directly. 
We add a path modality oo that is valid on a path n iff tt is infinite. This path modality, 

than those of L. FAP allows us to use the state a that figures in the proof of Theorem 15.41 regardless of 
whether such a state, or the fresh action a, occurs in the given LTS or not. FAP is satisfied by virtually 
all semantic equivalences documented in the literature, and can be used as a sanity check for meaningful 
equivalences [9]. 
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or actually an equally expressive one, was studied prior by Kaivola & Valmari [TT] in the 
context of Linear Temporal Logic without the next state operator — see Section [9l 

Definition 6.1. The syntax of CTL*^ is given by 

(p ::= p | -up | A <£' | 3ip ip ::= ip \ -*ip | A \P' | ip U ip \ oo 

with p G AP, ip G <3?' C ip G an d vl/' c 
Validity is defined as in Definition 12.21 but adding the clause 
— tt \= oo iff the path tt is infinite. 

We write 3°°ip for 3(oo A ip); this formula holds in a state s if there exists an infinite path 
tt from s such that tt \= ip. Likewise \/°°ip = V(oo — > ip) holds in s if for all infinite paths 
tt from s we have that s \= ip. These constructs are dual, in the sense that s \= -i3°°^ iff 
s \= V°°^V- 

The negation of oo holds for a maximal path tt iff tt is finite, and hence ends in a 
deadlock. It is tempting to simply extend CTL*_ X with a state formula 5 such that s \= 5 iff 
-Gs'. s — > s' . This would make it possible to express oo as ->F5. However, this would make 
the resulting logic too expressive: the two states in the Kripke structure o — > o (with the 
empty labelling) are branching bisimulation equivalent with explicit divergence, yet they 
would be distinguished by this extension of CTI_1 X , as only the last state satisfies 5. 

CTLj^ is an extension of CTL^ X . There is no need for a similar extension of CTL*, for 
5 can be expressed as -dXT. In particular, CTL^, is not more expressive than CTL*. 

The definition of branching bisimulation equivalence with explicit divergence lifts easily 
to Kripke structures: s ±±^ t, for s and t states in a Kripke structure, iff there exists a 
consistent and divergence preserving colouring C such that C(s) = C(t). Here divergence 
preserving is defined as in Section [3j by Lemma 13.51 this time applied to Kripke structures, 
a consistent colouring preserves divergence iff, for any states s and t, C(s) = C(t) implies 
for any infinite path tt from s with C(tt) = C(s) 
there is an infinite path p from t with C(p) = C(t). 

Theorem 6.2. s ±±^ t iffs\=(p<=?t\=(p for all CTLj^ state formulas p. 

Proof. "Only if" goes as in the proof of Theorem 12.71 reading \= for \= db , requiring C to be 
consistent and divergence preserving, and, in the second paragraph, requiring the paths tt 
and p to be maximal and C{tt) to be a complete coloured trace of s and t. Here we use that 
if a colouring is consistent and divergence preserving, then two states with the same colour 
must also have the same complete coloured traces. This follows from Lemma |3.7[ this time 
applied to Kripke structures. 

There is one extra case to check. Suppose C(tt) = C(p) and tt \= oo, but p ft= oo. Then 
the last state t of p has the same colour C{t) as one of the states s of tt. Let tt' be the 
(infinite) suffix of tt starting at s. Then C{tt') = C{s) = C(t), yet there is no infinite path 
from t, contradicting that C is divergence preserving. 

"If" goes as in the proof of Theorem 12.71 but this time we also have to show that C 
preserves divergence. So let s and t be states and tt an infinite path from s with C{tt) = 
C(s) = C(t) = C. Let 

U = {u | there is a path from t to u and C(u) ^ C}. 
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For every uG U pick a CTLj^ formula ip u G C — C(u). Now s \= 3°°G(/\ ugW tp u ) and, as 
C(s) = C(t), also t \= 3°°G(/\ ugW ip u ). Thus, there is an infinite path p from t such that 
t' \= hu^utPu for all states t' in p. It follows that t' U. Hence C(t') = C and thus 
C(p) = C. □ 



7. Adding deadlock detection to CTI x 

CTI x is the sublogic of CTI_1 X that only allows path formulas of the form <p U ip' and 

—>(<p U ip'), where ip and ip' are state formulas. Equivalently, it can be defined as only 
allowing path formulas of the form ip U ip' and G(p, for we have 

s^BGp iff »(=3n(TU^) 
s (= 3-.(y> U p') iff s h 3[( V) U -.(p V p')} V 3G V . 

Theorems 12.71 and 12.81 are also valid when using CTI x instead of CTI_1 X , for their proofs 

use no other temporal constructs than 3(p U ip') and 3Gp. 

A natural proposal for CTLqo would be to add the path quantifier 3°° to CTI x , thus 

yielding the syntax 

ip ::= p | ^<p | A$' I U y?) | 3°°(p\Jp)\ 3Gp \ 3°°Gp . 

However, we can economise on that, for 

s \= 3°°(< / ? U cp') iff s |= 3(cp U (p' A 3°°GT)) 

s H 3G^ iff s H 3°°G^ V 3(y> U (VGp)) 
where VGy? is an abbreviation for _, 3(T U ^ip). Hence CTLqo can be given by the syntax 

ip ::= p | -Mp | /\$' | 3((/?U(/?)| 3°°G^ . 

It follows immediately from the proof of Theorem 16.21 that this language is sufficiently 
expressive to characterise branching bisimulation equivalence with explicit divergence: 

Theorem 7.1. s ±±^ tiffs\=(p^t\=<p for all CTLqo formulas p>. □ 

It is tempting to simply write 3°°G as 3G; that is, to keep the same syntax as for CTI x but 

define its semantics in such a way that 3(tp U ip') asks merely for a finite path, whereas 3Gp 

asks for an infinite one. This deadlock sensitive interpretation of CTI x is an alternative 

for the interpretation of [5j. It is consistent with the classical interpretation of CTL [3 [3], 
as for total Kripke structures there is no difference between 3°° and 3. 

8. The deadlock extension of Kripke structures 

Following De Nicola & Vaandrager [5] we have applied CTI_1 X to non-total Kripke structures 
by using maximal instead of infinite paths in the definition of validity. As remarked in 
Section [2j the same effect can be obtained by transforming a non-total Kripke structure 
into a total one by adding a self- loop s — > s to every deadlock state s, and applying the 
standard CTI_1 X semantics to the resulting total Kripke structure. However, the latter does 
not apply to CTLj^, because the self-loop s — > s invalidates the formula 3-ico that holds 
in any deadlock state s. Here we define another transformation on Kripke structures that 
makes every Kripke structure total, and allows the encoding of CTL^ in terms of CTL^ X . 
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Figure 5: Deadlock extension of a Kripke structure 



Definition 8.1. The deadlock extension D(K) of a Kripke structure K is obtained by the 
addition of a fresh state s$, labelled by the fresh atomic proposition 8, together with a 
transition from s$ and from every deadlock state in K to sg. 

An example of this transformation is depicted in Figure [5j 

Theorem 8.2. Let K be a Kripke structure, with states s and t. Then s ±±^ t within the 
Kripke structure K iff s ±±^ t within the Kripke structure D(K). 

Proof. "If": Let D be a consistent and divergence preserving colouring on D(K). Note that 
D(ss) 7^ T>(s) for any state s ^ s$ in D(K). Let C be the restriction of T> to the states of K. 
Then the C-coloured traces of a state s in K equal the P-coloured traces of s in -D(K), but 
with the colour T>(s$) omitted from the end of such traces. It follows that C is consistent. 
It preserves divergence by Lemma 13.51 

"Only if": Let C be a consistent and divergence preserving colouring on K. Extend it 
to a colouring T> on D(K) by assigning a fresh colour 8 to the extra state s$ of D(K). It 
suffices to check that T> is consistent and divergence preserving. 

Claim. From any state s in K with the same colour as a deadlock state t in K there 
must be a path ir to a deadlock state such that C(tt) = C(t). 

Proof of claim. As t has no C-coloured traces of length two, neither does s, and as t has 
no divergent C-coloured traces, neither does s. Thus, all paths from s are finite and only 
pass through states with colour C(t). 

Application of the claim. The P-coloured traces of length two of a state s ^ s$ in D{K) 
are the C-coloured traces of length two of the state s in K, together with the trace C{t)8 in 
case s has the same colour as a deadlock state t in K. Thus T> is consistent by Lemma 12.5} 
and preserves divergence by Lemma 13.51 □ 

The "if" -direction of the theorem, with a similar proof, also applies to ~ s and ~dbs, 
but the "only if'-direction does not. As a counterexample, let K be a Kripke structure with 
a deadlock state d (having no outgoing transitions) and a livelock state I (with a self-loop 
as its only one outgoing transition); neither state satisfies any atomic propositions. In K 
we have d ~ s and hence d ~dbs h but in D(K) we have d ^dbs h an d hence d I. 

Considering that Kripke structures of the form D(K) are total, and that on total Kripke 
structures ~ s and ±±^ coincide, it is in fact impossible to define a transformation like D 
for which Theorem 18.21 holds for both ±±^ and ~ s . 

Now let r\ be an arbitrary LTS-to-L 2 TS-transformation, yielding an LTS-to-Kripke- 
structure transformation that is also called 77 (see Section 2]) . Then D o r/ is not a valid 
LTS-to-Kripke-structure transformation as intended in [5], for it fails to preserve ±±^ / ~ s 
and ±±b I ~dbs (cf. Definition I4.5p . Yet, it satisfies 



s±±f t ^ D o rj(s) «,flo r](t) 
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(because s ±±j t 4=> rj(s) ±±j f](t) <^ Dorj(s) ±±^ Do rj(t) and on total Kripke structures 
^ and ~ s coincide), and as such it is a suitable transformation for denning validity of 



CTL^x formula on states in LTSs. We obtain: 

Corollary 8.3. Let s and t be states in an LTS, and let r\ be an LTS-to-L 2 TS transforma- 
st±£ tiffs ^ D ° v p t \= Dor > p for all CJl* x state formulas ip. □ 

Thus, one way to make CTL^ X suitable for dealing with deadlock behaviour on LTSs is to 
stick to total Kripke structures and translate LTSs to Kripke structures by a translation 
Dor] instead of a transformation rj as proposed in [5]. This way branching bisimulation 
equivalence with explicit divergence becomes the natural counterpart of stuttering equiva- 
lence on Kripke structures, and we have the modal characterisation of Corollary 18.31 

An alternative is to stick to more natural transformations r\ meeting the criteria on Def- 
inition U31 apply the definition of validity of CTI_1 X formulas to non-total Kripke structures 
as in [5], and extend CTI_1 X to CTL^ as indicated in Section [6j 

Below we show that these solutions lead to equally expressive logics on LTSs. 

Definition 8.4. Given a set of atomic propositions, let CTL| be the logic CTI_1 X extended 
with an extra atomic proposition 5. The mappings £F from CTL^ to CTL| formulas and £ 
from CTL^ to CTL^, formulas are defined inductively by 





= p 




= p 




= -k5 A -<@(<p) 




= 


®(Aiei <Pi) 


= Ate/ 


4A ie /^) 


= Aig/^i) 








= 34^) 




= -k5 A ^@(ip) 








= Kiel ®W>i) 




= Aiei^i) 


u v') 


= 9$) U ®(ip') 


s{i) u vO 


= W)Ufy)vW)U^')) 


g>(po) 


= -F<5 


S{5) 


= -iT. 



Here 5^> = | ^ y otherwise ' an< ^ ^ ^ ^ abbreviates -ioc A Gif). 

We remark that checking whether sg \= 3ip' is simple: just substitute T for <5 and _L for 
all other atomic propositions in tp , while simplifying subformulas ipi U ip2 to ip2- The latter 
is justified because the unique infinite path starting from sg has only itself as suffix. 

Theorem 8.5. Let K be a Kripke structure and s a state in K. Then for any CTL^, state 
formula <p we have s (= tp in K iff s \= @(tp) in D{K), and for any CTLjSj state formula p 
we have s \= <p in D(K) iff s \= £{<p) in K. 

Proof. For a state formula <p, let lyflic denote the set of states s in K with s (= <p. Likewise, 
for a path formula ip, [[^Jk denotes the set of maximal paths ir in K with ir \= p. Note 
that there is a bijective correspondence between the maximal paths in K and those in D(K) 
not starting in sg. A straightforward structural induction shows that [^Jk = [[^( < / ;> )l_D(K) 
for any CTL^ state formula ip and, up to the aforementioned bijective correspondence, 
[Mk = I^(V01-D(K) f° r an y CTL^ path formula ip. 

For the second statement, let its be the unique path in D(K) starting in sg. A straight- 
forward structural induction shows that [v1d(k) ~~ { s s} = I^t^jK for any CTL| state 
formula ip and, up to the above bijective correspondence, [Mr^K) — {^s} = [[^(^)]]k for any 
CTL^ path formula ip. □ 
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In CTL^ the path modality oo is equally expressive as the path modality ip U 5 of Defi- 
nition [831 saying of a path that it is finite and all its suffixes satisfy ip. This is because 
ir \= ip (J 5 44> 7T (= -ioo A Gip and ir \= oo 4=> ir \= ^F5 <=> 7r |= -iT U 5. In this 
light, the encoding @ of CTLj^ into CTLJ merely adds a conjunct -i<5 here and there. These 
conjuncts are not optional; they enable, for instance, the correct translation of the CTLj^ 
path formula Gp by the CTLJ formula ^5 A G(5 Vp). 

Recall that in Section [6] we considered extending CTL^ X with a state formula 5 such 
that s \= S iff -i3s'. s — > s'. We then argued that this would make the resulting logic too 
expressive. Note that in our current proposal the atomic proposition 5 only holds in the 
fresh state s$ of the deadlock extension D(K) of a Kripke structure K and not in any of 
the original states of K. As a consequence, in CTL^, which does not have the next state 
modality X, we can express the property that deadlock is unavoidable (when all paths from 
an original state of K lead to deadlock), but we still cannot express the property of being 
deadlocked (i.e., the property that holds in an original state of K iff no further transitions 
are possible). 

Theorem 8.6. Also the logics CTLg and CTLqo are equally expressive. 

Proof. This follows because Q/ can be restricted to a mapping from CTLqo to CTL.,5 formula 
and <^to a mapping from CTLqo to CTL^ formula. In particular, 

@(3((p U ip')) = 3(%>(<p) U i%>')) £?(3G°» = 3G(-uS A 9(tp)) 



and 



3(4^) U S[ip')) V 3(£{ip) U (-3°°GT A 3G%>))) if s 5 \= ip' 
3(£{<p) U S{ip )) otherwise 



~ \ 3G£(ip) otherwise. □ 



9. Linear temporal logic with deadlock detection 

Linear Temporal Logic [14] (LTL) is the sublogic of CTL* that allows propositional variables 
p € AP but no other state formulas to be used as path formulas. Path formulas are applied 
to states by an implicit universal quantification: s (= ip iff s \= Vip. In this section we explore 

the programme of this paper in the setting of LTI x (LTL without the next state modality), 

and compare the results with the branching time case. 

First we characterise the equivalence induced on the states of a Kripke structure 
(S, JSf, — ►) by validity of LTI x formulas. We can conveniently use the notion of com- 
plete coloured traces in this characterisation, observing that Jzf is a colouring in the sense 
of Definition I2.31 We write s t if the states s and t have the same complete ^-coloured 

traces. Now two states satisfy the same LTI x formulas iff they have the same complete 

Jif-coloured traces. 

Theorem 9.1. s«^>t iff s \= ip <^=> t (= ip for all LTI x formulas ip. 

Proof. "Only if": Note that, to show that s t implies s \= ip <^ t \= ip, it suffices to 
prove that if -S^vr) = -Sfljo) then ir \= ip <^ p \= ip. We proceed by structural induction on ip. 
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From J^7r) = it follows that the first states of tt and p have the same colour, and 
hence if ip = p with p £ AP then tt \= ip 44> p \=ip. The cases ip = —>ip' and ip = /\^f' follow 
immediately from the induction hypothesis. 

Finally, let ip = ip' U ip" and suppose that tt \= ip. Then there exists a suffix tt' of tt 
such that tt' \= ip" and tt" \= ip' for all tt > tt" t> tt' . As J£{tt) = -S^p), there must be a suffix 
// of p such that -2^vr') = -2tp') and for every path p" such that p > p" D> p' there exists 
a path 7r" with 7r > tt" > 7r' such that J£{tt") = J£{p"). By induction, this implies p' \= ip" 
and p" \= ip' for all p > p" > p'. Hence /? |= ■0- 

"If": Suppose that s ^b^t. Then, without loss of generality, there exists a maximal 
path p from t such that for all maximal paths tt from s it holds that J£{tt) ^ £{p); we define 
an LTI x formula ip such that s \= ip, while t ^ ip. 

First, we define for every colour C, which is a subset of AP, a formula ip(C) with 
the property that tt \= ip{C) iff the first state of tt has colour C . (A possible definition of 
ip(C) would be ApeC^ ^ A P ^c — 'J 3 ? however, one can economise on the cardinality of this 
conjunction by including only one conjunct for every other colour D that actually occurs 
in the underlying Kripke structure — this way we meet the cardinality restriction imposed 
in Section [21) For every maximal path tt from s such that J£{p) is not a prefix of J*C(tt), let 

t/V = (• • ■ (ty(Co)) U (V(Ci))) U • • • ) U (iP{C k )) , 

where Co, Ci, . . . , is the shortest prefix of Jz?(p) that is not also a prefix of -2^7r). For 
every maximal path 7r from t such that «Sf(/o) is a prefix of J^7r), let 

Vv = -(••• (MA))) u (VPi))) u ■ • • ) U (iP(D k )) , 

where Dq, D\, . . . , D k is the shortest prefix of J£{tt) that is not also a prefix of S^p). Note 
that in either case we have p \= ip w while tt \/= ip n . Now, define ip by 

ip = —i pAipn j vr a maximal path from s} . 

It is not hard to check that in a Kripke structure with less then k states, for k an infinite 
cardinal, less than k of the formulas ip n are different. Now, since p is a path from t such 
that p ¥= ip, it follows that t ip. On the other hand, since 7r ^= ?/>„., it follows that 7r (= ip 
for all paths 7r from s, and hence s |= ip. □ 

In order to lift this notion of equivalence from Kripke structures to LTSs, consider a trivial 
colouring Sf, assigning the same colour to all states in an LTS, and write s =y t if s and t 
have the same complete ^coloured traces. In |8j, =j, was called divergence sensitive trace 
equivalence. The following counterpart of Theorem 14.31 indicates that =j, is on LTSs what 
is on Kripke structures: 

Theorem 9.2. On a consistent L?TS ~_jf equals =h,. 

Proof. If tt is a path from a state s and p a path from t in a consistent L?TS (S, Jzf, — >), then 

JSflM = JSJ(p) J5f(s) = JSf(i) A ^tt) = 5(p) 

where Jz?(tt) denotes the J>f-coloured trace in the associated Kripke structure (thus, forgetting 
the actions) and ,%jt) denotes the trivially coloured trace in the associated LTS (thus, 
keeping the visible actions, but forgetting the colours). This is an immediate consequence 
of the definition of consistency, and it immediately implies the theorem. □ 
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In order to make LTS-to-L 2 TS transformations useful for applying LTL on LTSs they should 
be required to preserve and reflect =y — the transformation of [5] trivially has this property. 
We then obtain: 

Corollary 9.3. Let s and t be states in an LTS, and let r\ be an LTS-to-L?TS transformation 
preserving and reflecting Then s =h, t iff s \= v ip 43- 1 \= v tp for all LTI x formulas ijj. 

The very same counterexample as used in Section [5] shows that =^ fails to be a congruence 
for ||: we have =y AO, yet 0||a ^\ A0||a. We proceed to characterise the coarsest 
congruence for || that is included in =\. We write s = AA t if s and t have the same 
complete ^coloured traces as well as the same divergent ^coloured traces; by analogy 
with the branching bisimulation variants we propose to call = AA trace equivalence with 
explicit divergence. 

Theorem 9.4. = AX is the coarsest congruence for \\ that is included in =^. 

Proof. Let T(s) denote the set of ^coloured traces of a state s, T x (s) its set of complete 
^coloured traces, and T A (s) its set of divergent ones. Clearly T A (s) C T x (s) C T(s). 
Note that T(s) is completely determined by T x (s), namely as its set of initial prefixes. 
Furthermore, let T*(s) denote the set of finite ^coloured traces of s and T°°(s) its set of 
infinite ones. Also T*(s) and T°°(s) are completely determined by T x (s), and T°°(s)CT\s). 
For any two sets of sequences S and T, let S\\T denote the set of those sequences which can 
be obtained by interleaving a sequence of S with a sequence of T. Now we have 





\t) 


= T(s)\\T(t) 


T*(s 


\t) 


= T*(s)\\T*(t) 


r°°(s 


\t) 


= T°°(s)\\T(t) UT^HT 00 ^) 


T A (s 


\t) 


= r A (s)||r*(t)uT*( s )||r A (s) 


T x (s 


i-o 


= T°°(s||i) U T A (s\\t) U T x (s)\\T x (t) 



This implies that = A 1S a congruence. By construction it is included in =^. 

Now let ~ be any congruence for || that is included in =^, and assume s ~ u. We 
need to show that s = AA u. We know already that T x (s) = T x (u). So let a € T A (u). By 
symmetry, it suffices to show that a £ T A (s). Let a be an action that does not occur in 
any path from s. Since ~ is a congruence for ||, we have s \\ a ~ t \\ a, where a is the state 
from Example 15.31 As ~ is included in =^ we obtain s \\ a =^ t \\ a. Since a G T A (it) and 
the empty trace e is in T*(a), we have a G T A (u\\a) C T x (u\\a) = T x (s\\a). Since e T x (a) 
it must be that a G T A (s\\a) and hence a G T A (s). □ 

So far the situation is analogous with the branching time case. However, from here on 

the development is different. Adding the oo-modality to LTI x does not merely add the 

expressiveness to the logic to make it characterise = AX . Instead LTLoo (obtained from LTI x 

by adding the oo-modality) characterises a strictly finer equivalence. We define ^-coloured 
deadlock traces as Jzf-coloured traces that stem from finite maximal paths, i.e. paths ending 
in a deadlock state, and for s, t states in a Kripke structure (S, J?, — >) we write s ~ A<5 t if s 
and t have the same complete Jf-coloured traces, the same divergent ^f-coloured traces, and 
the same Jf-coloured deadlock traces. Likewise, for s, t states in an LTS we write s = AS t if s 
and t have the same complete ^coloured traces, the same divergent ^coloured traces, and 
the same ^coloured deadlock traces. In [8], = AS was called divergence sensitive completed 
trace equivalence. In light of the proof of Theorem 19.21 it is straightforward to establish that 
on a consistent L 2 TS the preorders m AS and = AS coincide. 
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Theorem 9.5. s t iffs\=ip^-t\=tp for all LTLqo formulas t/j. 

Proof. Let Jf <5 (7r) be the ^f-coloured trace of a path ir as given in Definition 12.31 but with 
a symbol 5 tagged at the end iff tt is finite and maximal (i.e. ending in deadlock). Then 
s t iff for every path ir from s there is a path p from t such that J? s (tt) = Jzf^p), and 
vice versa. 

"Only if": To show that s t implies s \= ip t \= ij), it suffices to prove that if 
J2? s (tt) = J£ S (p) then tt \= if] 43- p \= ip. This proceeds exactly as in the proof of Theorem l9.14 
except that there is one extra case to consider, namely that ifi = oo: Suppose ir \= oo. Then 
J? s (ir) does not end in 5, so J? S (p) does not end in 5, so p (= oo. 

"If": Suppose that s t. Then, without loss of generality, there exists a maximal 
path p from t such that for all maximal paths tt from s it holds that Jz? s (ir) ^ «Sf' 5 (p). As 

in the proof of Theorem 19.11 we define an LTI x formula ip such that s \= ip, while t \/= ip. 

For 7r a maximal path from s such that Jz^7r) ^ £{p), we define the formula ip n exactly as 
in the proof of Theorem 19.11 In case £{ir) = £{p) but J£ s {tt) ^ ^ S (p) we take ift^ to be 
oo or -ioo. The definition of tfj remains the same. □ 

Corollary 9.6. Let s and t be states in an LTS, and let n be an LTS-to-L 2 TS transformation 
preserving and reflecting =^ 5 . Then s t iff s \= v ip <J=> t 1=^ ip for all LTLqo formulas if). 

The deadlock extension of Definition 18.11 gives the same result. 

Theorem 9.7. Let s and t be states in an LTS, and let r\ be an LTS-to-L?TS transformation 

preserving and reflecting = AS . Then s =^ S t iff s ^= Dor i -0 ^ t \^-Dor) ^ j or |_~p| x 

formulas tp. 

Proof. Just like Corollary 18.31 this follows immediately from the observations that s t 
within a Kripke structure K iff s t within the Kripke structure D(K) (cf. Theorem l8.2p . 
and that on total Kripke structures the equivalence relations and coincide. □ 

Kaivola & Valmari [11] study equivalences on LTSs with the property that under 
all plausible transformations of LTSs into Kripke structures two equivalent states (trans- 
formed into states of Kripke structures) satisfy the same formulas in either LTI x or LTLqo. 

They characterise the coarsest such congruences for a selection of standard process algebra 
operators — including the merge, but also a partially synchronous parallel composition as 

well as nondeterministic choice — as iV-DF-D-equivalence (for LTI x) an d CFF-D-equivalence 

(for LTLqo). In turns out that neither nor are congruences for the partially 

synchronous parallel composition, or for nondeterministic choice. Hence to satisfy the re- 
quirement of being a congruence for these operators, iVDFD-equivalence is necessarily finer 
than =t X , and CFFD-equivalence is necessarily finer than =^' 5 . The question of raising the 

expressiveness of LTI x to the level where it characterises NDFD- or CFFD-equivalence 

directly remains open. 

10. Conclusion 

In this paper we enabled CTI x an d CTL1 X to be used as logics on labelled transition 

systems (LTSs) while taking deadlock behaviour into account. This could be accomplished 

by adding a modality to CTL1 X , by adapting the semantics of the G-modality (in CTI x ) 5 

or by adapting the translations from [5] from LTSs to Kripke structures. We have shown 
that these approaches all lead to equally expressive logics on LTSs. Our work allows the 
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rich tradition of verification by equivalence checking to be combined with the full expressive 
power of CJL*_ X . Taking advantage of this possibility is left for further research. 
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